I am trying to understand how anti-virus software creates and manages virus signatures.
This article gives some idea of how a signature is created. When a new virus is found, you can run a 'decoy' program to collect as many variants of the virus as possible, then compare them to get candidate signatures. To avoid false positives, the candidate signatures are run against a large volume of known-good data to obtain a signature that is unique to the virus.
Here is another blog on how to create ClamAV signatures, and a detailed explanation of the EICAR virus test file.
A nice web site on virus analysis.
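The candidate-signature step described above, written here as an added C example (not code from the article or blogs linked): every k-byte window of the first variant is a candidate, and it survives only if it occurs in every other variant and in none of the known-good samples. The byte strings used to exercise it are constructed; real extraction runs over far larger corpora and also weighs how rare a window is across goodware, not just whether it is absent.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* A byte string with an explicit length, since samples may contain NULs. */
typedef struct { const unsigned char *data; size_t len; } Blob;

/* Does the n-byte 'needle' occur anywhere inside blob b? */
static bool contains(const Blob *b, const unsigned char *needle, size_t n)
{
    if (n == 0 || b->len < n)
        return false;
    for (size_t i = 0; i + n <= b->len; i++)
        if (memcmp(b->data + i, needle, n) == 0)
            return true;
    return false;
}

/* Candidate-signature extraction as the post describes it: every k-byte
 * window of variants[0] is a candidate; keep it only if it occurs in every
 * other variant and in none of the known-good files (false-positive screen).
 * Offsets (into variants[0]) of surviving candidates go to out_off[];
 * returns how many were stored, at most max_out. */
size_t extract_signatures(const Blob *variants, size_t nvar,
                          const Blob *clean, size_t nclean,
                          size_t k, size_t *out_off, size_t max_out)
{
    size_t found = 0;
    if (nvar == 0 || k == 0 || variants[0].len < k)
        return 0;
    for (size_t off = 0; off + k <= variants[0].len && found < max_out; off++) {
        const unsigned char *cand = variants[0].data + off;
        bool ok = true;
        for (size_t v = 1; v < nvar && ok; v++)     /* shared by all variants */
            ok = contains(&variants[v], cand, k);
        for (size_t c = 0; c < nclean && ok; c++)   /* absent from goodware */
            ok = !contains(&clean[c], cand, k);
        if (ok)
            out_off[found++] = off;
    }
    return found;
}
```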
Tuesday, December 28, 2010
Saturday, October 9, 2010
Decrypt a web page encrypted with HTML Guardian
After opening the page, instead of using View Source, enter this in the address bar:
javascript:var sorc=document.documentElement.outerHTML;document.open("text/plain");document.write(sorc);
Thursday, September 23, 2010
Write safe code
These days I have come across a few vulnerabilities in Squid. Here are some lessons learned:
(1) strcmp
If you pass strcmp a NULL pointer, the behavior is undefined and the program may crash. Checking for NULL and for '\0' termination is trivial. This assumes that str1 and str2 end with '\0':
#include <stddef.h>
#include <string.h>

/* NULL-safe wrapper around strcmp: two NULLs compare equal, and a NULL
   sorts before any string. Both arguments are assumed '\0'-terminated. */
int compare(const char *str1, const char *str2)
{
    if (str1 == NULL || str2 == NULL)
    {
        if (str1 == str2)
            return 0;
        if (str1 == NULL)
            return -1;
        if (str2 == NULL)
            return 1;
    }
    return strcmp(str1, str2);
}
(2) Check the major/minor version in the HTTP header.
Squid used code like this to get the numeric version number from the HTTP request line (HTTP/1.1 ...):
#include <assert.h>
#include <ctype.h>

/* Assume the request line is already in buffer and that only the major
   digits matter here; verStart is the offset of the first digit after "HTTP/". */
int parse_major(const char *buffer, int verStart, int have_line_end)
{
    int maj = -1;
    if (have_line_end)      /* the original tested whether the buffer held a line end */
        maj = 1;
    else
        return -1;
    for (int pos = verStart; isdigit((unsigned char)buffer[pos]); pos++)
    {
        /* no limit on the number of digits, so a long run of digits overflows maj */
        maj = maj * 10;
        maj = maj + (buffer[pos] - '0');
    }
    /* maj should never be -1 here, until the accumulation overflows (at 65536) */
    assert(maj != -1);
    return maj;
}
(3) Recently there was a vulnerability in the bzip2 code:
int accumulate(const int *buffer, int len)
{
    int N, result = 0;
    for (int i = 0; i < len; i++)
    {
        N = buffer[i];      /* read the next value from the buffer */
        result += N * 2;    /* signed int arithmetic: can overflow */
    }
    return result;
}
Here result is a signed integer and it may overflow, which causes undefined behavior.
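A hardened version of items (2) and (3), added here as an example rather than Squid's or bzip2's actual code: the version parser bounds the digit count so the value cannot overflow, and the accumulator checks every step against the int range instead of wrapping silently. parse_http_major and checked_accumulate are names chosen for this example.

```c
#include <ctype.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Parse the major version digits that follow "HTTP/" in a request line.
 * Returns the value, or -1 if the prefix is missing, there are no digits,
 * there are too many digits, or no ".minor" follows. Both the digit count
 * and the value are bounded, so the loop cannot overflow like the original. */
int parse_http_major(const char *line, size_t len)
{
    static const char prefix[] = "HTTP/";
    const size_t plen = sizeof(prefix) - 1;
    if (line == NULL || len < plen || memcmp(line, prefix, plen) != 0)
        return -1;
    int maj = 0;
    size_t pos = plen, ndigits = 0;
    while (pos < len && isdigit((unsigned char)line[pos])) {
        if (++ndigits > 3)                   /* real majors are 0..999 */
            return -1;
        maj = maj * 10 + (line[pos] - '0');  /* at most 999, cannot overflow */
        pos++;
    }
    if (ndigits == 0 || pos >= len || line[pos] != '.')
        return -1;                           /* must be followed by ".minor" */
    return maj;
}

/* Sum 2*N over buf with an explicit overflow check on each step.
 * Returns false (and leaves *out untouched) if any step would leave the
 * int range, instead of silently wrapping like the bzip2 sketch. */
bool checked_accumulate(const int *buf, size_t n, int *out)
{
    long long result = 0;   /* wide accumulator, checked against int after each step */
    for (size_t i = 0; i < n; i++) {
        result += (long long)buf[i] * 2;     /* |term| <= 2*INT_MAX+2, fits long long */
        if (result > INT_MAX || result < INT_MIN)
            return false;
    }
    *out = (int)result;
    return true;
}
```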
Friday, May 28, 2010
SSL cipher differences
I am looking at the differences between these ciphers after running
openssl ciphers -v
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
As the output states, they are all usable in SSLv3, the encryption is AES(256), and the message authentication code is SHA1.
The DHE-xxx suites use Diffie-Hellman key exchange (which needs authentication), while AES256-SHA uses RSA key exchange (RSA does both digital signing and data encryption). The authentication difference is RSA versus DSS (Digital Signature Standard); DSA verification is a little slow.
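An added example, not part of the original post or of OpenSSL: a small parser for `openssl ciphers -v` lines that records what the Kx field implies. Only an exact Kx=DH or Kx=ECDH denotes an ephemeral exchange (forward secrecy); Kx=RSA key transport, or a static variant such as DH/RSA, means a leaked server key decrypts recorded sessions, whatever the Au column says.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One parsed line of `openssl ciphers -v` output. */
typedef struct {
    char name[64], proto[16], kx[16], au[16], enc[32], mac[16];
    bool forward_secrecy;  /* ephemeral key agreement: recorded traffic stays safe if the server key leaks */
    bool authenticated;    /* Au names a signature algorithm rather than None (anonymous DH) */
    bool legacy_mac;       /* MD5 or SHA1 HMAC: worth reviewing in a modern cipher list */
} CipherInfo;

/* Parse one line; returns false when it does not have the six expected fields. */
bool parse_cipher_line(const char *line, CipherInfo *ci)
{
    memset(ci, 0, sizeof *ci);
    if (line == NULL)
        return false;
    int n = sscanf(line, "%63s %15s Kx=%15s Au=%15s Enc=%31s Mac=%15s",
                   ci->name, ci->proto, ci->kx, ci->au, ci->enc, ci->mac);
    if (n != 6)
        return false;
    /* Kx decides forward secrecy, Au only decides who is authenticated.
     * Exactly "DH" or "ECDH" means a fresh ephemeral exchange per session;
     * "RSA" (key transport) and static variants such as "DH/RSA" do not. */
    ci->forward_secrecy = strcmp(ci->kx, "DH") == 0 || strcmp(ci->kx, "ECDH") == 0;
    ci->authenticated = strcmp(ci->au, "None") != 0;
    ci->legacy_mac = strcmp(ci->mac, "MD5") == 0 || strcmp(ci->mac, "SHA1") == 0;
    return true;
}

/* Audit helper: how many lines in a cipher list lack forward secrecy
 * (unparseable lines are counted too, so they get looked at). */
size_t count_without_forward_secrecy(const char *const *lines, size_t n)
{
    size_t count = 0;
    CipherInfo ci;
    for (size_t i = 0; i < n; i++)
        if (!parse_cipher_line(lines[i], &ci) || !ci.forward_secrecy)
            count++;
    return count;
}
```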
Monday, May 10, 2010
How Google ratproxy works
Google ratproxy is used to find potential web risks, especially XSS.
(1) Get the request and response.
(2) Referer request header: check whether the parameters contain session tokens ("token", "once", "secret", "secid", "auth", "=tok", "=sig") to detect token leakage.
(3) When the response MIME type is an active content type, it may warn "external code inclusion":
"text/html", /* HTML */
"application/xhtml+xml", /* XHTML */
"application/java-vm", /* Java class */
"application/java-archive", /* Java JAR */
"application/x-shockwave-flash", /* Flash */
"video/flv", /* Flash */
"video/x-flv", /* Flash */
(4) If it detects a POST request, it may warn "Cross-domain POST requests".
(5) Now check the URL and response:
- Is any query parameter echoed in the response body?
- Is any query parameter echoed in the response headers?
- Check whether the URL contains authentication fields: "login", "user", "sess", "account", "pass"
- Re-send the request without cookies to double-check whether it requires authentication
- Sniff the charset in the response body. The valid charsets are:
"iso8859-1", /* Valid Western */
"iso-8859-1", /* Invalid but recognized */
"iso8859-2", /* Valid European */
"iso-8859-2", /* Invalid but recognized */
"iso8859-15", /* ISO-8859-1, new and improved */
"iso-8859-15", /* ISO-8859-1, new and improved */
"windows-1252", /* Microsoft's Western */
"windows-1250", /* Microsoft's European */
"us-ascii", /* Old school but generally safe */
WARNING: Please note that "harmless" misspellings such as
'utf8' or 'utf_8' are *not* harmless, and may trigger utf-7
XSSes. Do not add these to the list unless thoroughly
validated.
- Try_replay_xsrf: set all the session tokens in the request to a clobber value, send it to the server again, then compare the MD5 of the result.
- Header-based checks: for example, an authentication header but no 40x response.
- HTTP redirect: detect a 302 response with a Location header: is the host name in the request query parameter or payload?
- Check for redirects in the payload: HTTP-EQUIV=\"Refresh\"
- Handle Content-Type: multipart/form-data ??
- If the response and request cookies are the same: cookie issuer with no XSRF protection
- POST requests that do not require authentication are interesting
- Multiple "Content-Type" or "Content-Disposition" headers
- Misstated Content-Length: payload greater than the Content-Length header
- Check cross-domain POST requests: the request host and the Referer host differ.
- Cacheable Set-Cookie: check if the web page can be cached while carrying the cookie/auth
- Missing charsets and typos lead to UTF-7 cross-site scripting.
- Content sniffing and Content-Type mismatch
- Echoed markup in a query is bad.
- File path in query parameters: non-echoed paths in a query are often bad
- Java method names in a query are bad.
- JavaScript code in a query is bad; ignore alert(...) though, as this is almost always a sign of manual XSS testing, not legitimate functionality.
- SQL statement in a query is bad.
- Check for OGNL-style parameter names.
- Check for what looks like JSON with inline HTML (standalone scripts are skipped, as they often contain static HTML to be rendered). Some basic quote-state tracking is done so that regular arithmetic does not confuse it. No comment tracking, but that shouldn't break easily.
- Response with a directory index: ">[To Parent Directory]<", "Index of /"
- JavaScript sinks: .write(, .writeln(, .innerHtml, .outerHtml, document.referrer, document.domain
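The charset check from step (5), written here as an added C example rather than ratproxy's own code: it pulls the charset parameter out of a Content-Type value and accepts only the list above plus utf-8 (utf-8 is my addition; the post's list shows only the non-UTF entries), flagging missing or misspelled values, which is where the UTF-7 sniffing risk comes from.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Safe charsets: the post's list plus "utf-8" (my addition, not shown in the post).
 * Anything else is flagged, typos like "utf8"/"utf_8" included: a browser that
 * does not recognize the charset may sniff one, and UTF-7 sniffing enables XSS. */
static const char *const safe_charsets[] = {
    "iso8859-1", "iso-8859-1", "iso8859-2", "iso-8859-2", "iso8859-15",
    "iso-8859-15", "windows-1252", "windows-1250", "us-ascii", "utf-8",
};

typedef enum { CHARSET_MISSING, CHARSET_SAFE, CHARSET_UNSAFE } CharsetStatus;

/* ASCII case-insensitive: do the first n bytes of tok spell exactly s?
 * Safe when tok is shorter than n: the compare stops at tok's NUL. */
static bool token_eq(const char *tok, size_t n, const char *s)
{
    if (strlen(s) != n) return false;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)tok[i]) != tolower((unsigned char)s[i]))
            return false;
    return true;
}

/* Classify the charset parameter of a Content-Type value such as
 * "text/html; charset=utf8". No header or no parameter is MISSING. */
CharsetStatus check_charset(const char *content_type)
{
    if (content_type == NULL) return CHARSET_MISSING;
    for (const char *p = content_type; (p = strchr(p, ';')) != NULL;) {
        p++;
        while (*p == ' ' || *p == '\t') p++;
        if (!token_eq(p, 8, "charset=")) continue;
        const char *v = p + 8;
        if (*v == '"') v++;                     /* quoted-string form */
        size_t n = 0;
        while (v[n] != '\0' && v[n] != ';' && v[n] != '"' && v[n] != ' ') n++;
        if (n == 0) return CHARSET_MISSING;     /* "charset=" with no value */
        for (size_t i = 0; i < sizeof safe_charsets / sizeof *safe_charsets; i++)
            if (token_eq(v, n, safe_charsets[i])) return CHARSET_SAFE;
        return CHARSET_UNSAFE;
    }
    return CHARSET_MISSING;
}
```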
Tuesday, April 13, 2010
Detect OpenSSL errors
I want to detect the detailed OpenSSL client certificate error after calling SSL_accept(). This can be found from the error reason:
Unknown Client CA: SSL_R_TLSV1_ALERT_UNKNOWN_CA
No Client Certificate: SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE
Certificate expired: SSL_R_NO_CERTIFICATE_RETURNED
The interesting part is that when the client certificate is expired, it did not return SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED; instead, it returned SSL_R_NO_CERTIFICATE_RETURNED.
Monday, January 25, 2010
SSL VPN
Yesterday I got a chance to take a look at an SSL VPN. After logging on to a secure web site, the endpoint downloads an ActiveX control. This ActiveX control creates a virtual adapter and assigns the user a virtual private IP. Traffic to the intranet is intercepted and forwarded to this virtual adapter (by changing the routing table?), and then an SSL tunnel is used to establish connections to the web servers.
The main advantages of the SSL VPN are:
- You do not have to install a VPN client; you only need a browser
- It provides granularity for access control.
- It uses port 443, which most firewalls leave open.